Distributed System and Method for Tracking and Blocking Malicious Internet Hosts

ABSTRACT

Disclosed are systems and methods to perform coordinated blocking of source addresses, such as an Internet Protocol (IP) addresses, across a plurality of network appliances (e.g., gateways). In one disclosed embodiment the method and system temporarily alter a configuration of one or more network appliances (based on user defined configuration parameters) to allow communication from a “blocked” IP address for a period of time. A network appliance can then “receive” an email and perform analysis and provide results of the analysis to a reputation service. Thereby, the temporarily allowed communication can be used to learn information about a threat which would not have been available if all communication from that IP address had actually been blocked at the network appliance.

FIELD OF DISCLOSURE

This disclosure relates generally to the field of reputation services toinfluence an individual network appliance (gateway) to control whetherit should block a specific source communication (e.g., a source with aparticular Internet Protocol (IP) address) while still protecting theend user from an identified threat. More particularly, but not by way oflimitation, this disclosure relates to systems and methods totemporarily alter a configuration of one or more network appliances(based on user defined configuration parameters) to allow communicationfrom a “blocked” IP address for a period of time. The temporarilyallowed communication can be used to learn information about a threatwhich would not have been available if all communication from that IPaddress had actually been blocked at the network appliance.

BACKGROUND

Currently, an Email and Web Security (EWS) appliance may be configuredto block an Internet Protocol (IP) source address for a configurableamount of time (e.g., 10 minutes) when it detects some form of threat. Acentralized system and method for determining overall threats (e.g., aGlobal Threat Intelligence (GTI) system as provided by McAfee, Inc. ofSanta Clara, Calif.) uses a received Email (not at an end-user but at aprocessor to perform analysis) to generate a fingerprint of the Email.These fingerprints may be used by GTI to gain an accurate picture of thethreats traversing the Internet at any one time.

However, if an IP address is completely blocked at all networkappliances (sometimes called gateways), the appliance cannot receive theEmail from the IP address and therefore cannot fingerprint the data tosend to the GTI. Furthermore, currently all network appliances workindependently and could all be blocking the same IP address. As aresult, new threats may not be effectively being fingerprinted and a GTIcould be starved of data, likely reducing effectiveness of the GTI.

There are currently no known prior art solutions that specificallyinstruct individual appliances whether or not to block IP addresses in acoordinated fashion. Current centralized solutions provide the sameresponse to all gateway appliances and let the configuration of theindividual gateway determine whether the IP should be blocked. Oneproblem with this model is that both a TrustedSource™ and a GTI may notreceive enough information about potential threats (TrustedSource is atrademark of McAfee, Inc.).

To solve these and other problems, methods and systems are disclosed toprovide a centralized management system for network appliances wherebydifferent network appliances can be instructed in a coordinated mannerto temporarily change their configuration, gather information fromparticular IP addresses, and then resume their previously configuredblocking function.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a network architecture accordingto one embodiment.

FIG. 2 is a block diagram illustrating a computer on which softwareaccording to one embodiment may be installed.

FIG. 3 is a block diagram of a Global Threat Intelligence (GTI) cloudaccording to one embodiment.

FIG. 4A is a flowchart illustrating a prior art technique for blockingof IP addresses at an individual gateway.

FIG. 4B is a flowchart illustrating a technique for coordinated blockingof IP addresses according to one disclosed embodiment.

FIG. 5 is a block diagram illustrating a plurality of networks connectedto the Internet via a plurality of network appliances configured toperform coordinated blocking utilizing the technique of FIG. 4B.

DETAILED DESCRIPTION

Various embodiments, described in more detail below, provide a techniquefor performing a centralized and coordinated analysis of email messagesfrom identified IP addresses. Even though this disclosure refers to “IP”addresses specifically, concepts of this disclosure are not tied to anyparticular version of IP (e.g., IPv4, IPv6, etc.) and may also beapplicable to other network technologies and protocols. References to IPaddresses, such as “blocked” IP address, are used for clarity. Specificreferences to an IP address can also be thought of to include anyoriginating source address or other type of “designation of origination”regarding potentially malicious content.

The implementation of disclosed embodiments could utilize a “cloud” ofresources for centralized management and analysis. Individual sites orinternal networks interacting with the cloud need not be concerned withthe internal structure of resources in the cloud and can participate ina coordinated manner to ascertain a more global view of potentialthreatening “rouge hosts” on the Internet. If the analysis identifies aneed for further information about a blocked IP address, a resource(e.g., network appliance) can be temporarily (re)configured such that itdoes not block the suspected IP address 100% of the time and thus allowfor further gathering of information to enhance a collective view of thepotential threat. For simplicity and clearness of disclosure,embodiments are disclosed primarily for an email intended for aparticular recipient from a particular source host. However, a user'srequest for a web page or content (such as download of an executable)could similarly be blocked prior to satisfying the user's request. Inboth of these illustrative cases, internal networks can be protectedfrom objects that may be considered outside of risk tolerances for thegiven internal network.

FIG. 1 illustrates network architecture 100, in accordance with oneembodiment. As shown, a plurality of networks 102 is provided. In thecontext of the present network architecture 100, the networks 102 mayeach take any form including, but not limited to, a local area network(LAN), a wireless network, a wide area network (WAN) such as theInternet, etc.

Coupled to the networks 102 are data server computers 104 which arecapable of communicating over the networks 102. Also coupled to thenetworks 102 and the data server computers 104 is a plurality of enduser computers 106. Such data server computers 104 and/or clientcomputers 106 may each include a desktop computer, lap-top computer,hand-held computer, mobile phone, hand-held computer, peripheral (e.g.printer, etc.), any component of a computer, and/or any other type oflogic. In order to facilitate communication among the networks 102, atleast one gateway or router 108 is optionally coupled there between.

Referring now to FIG. 2, an example processing device 200 for use inproviding a coordination of denial of connection technique according toone embodiment is illustrated in block diagram form. The processingdevice 200 may serve as a gateway or router 108, client computer 106, ora server computer 104. Example processing device 200 comprises a systemunit 210 which may be optionally connected to an input device for system260 (e.g., keyboard, mouse, touch screen, etc.) and display 270. Aprogram storage device (PSD) 280 (sometimes referred to as a hard discor computer readable medium) is included with the system unit 210. Alsoincluded with system unit 210 is a network interface 240 forcommunication via a network with other computing and corporateinfrastructure devices (not shown). Network interface 240 may beincluded within system unit 210 or be external to system unit 210. Ineither case, system unit 210 will be communicatively coupled to networkinterface 240. Program storage device 280 represents any form ofnon-volatile storage including, but not limited to, all forms of opticaland magnetic, including solid-state, storage elements, includingremovable media, and may be included within system unit 210 or beexternal to system unit 210. Program storage device 280 may be used forstorage of software to control system unit 210, data for use by theprocessing device 200, or both.

System unit 210 may be programmed to perform methods in accordance withthis disclosure (an example of which is in FIG. 4B). System unit 210comprises a processor unit (PU) 220, input-output (I/O) interface 250and memory 230. Processing unit 220 may include any programmablecontroller device including, for example, a mainframe processor, or oneor more members of the Intel Atom®, Core®, Pentium and Celeron processorfamilies from Intel Corporation and the Cortex and ARM processorfamilies from ARM. (INTEL, INTEL ATOM, CORE, PENTIUM, and CELERON areregistered trademarks of the Intel Corporation. CORTEX is a registeredtrademark of the ARM Limited Corporation. ARM is a registered trademarkof the ARM Limited Company.) Memory 230 may include one or more memorymodules and comprise random access memory (RAM), read only memory (ROM),programmable read only memory (PROM), programmable read-write memory,and solid-state memory. The PU 220 may also include some internal memoryincluding, for example, cache memory.

Processing device 200 may have resident thereon any desired operatingsystem. Embodiments may be implemented using any desired programminglanguages, and may be implemented as one or more executable programs,which may link to external libraries of executable routines that may beprovided by the provider of the coordinated IP blocking software, theprovider of the operating system, or any other desired provider ofsuitable library routines.

In preparation for performing disclosed embodiments on the processingdevice 200, program instructions to configure processing device 200 toperform disclosed embodiments may be provided stored on any type ofnon-transitory computer-readable media, or may be downloaded from aserver 104 onto the program storage device 280. As used herein,references to a “computer system” include a single computer and aplurality of individual computers working together to provide thecapability described as being performed by a computer system.

Referring now to FIG. 3, a block diagram 300 illustrates one example ofa GTI cloud 310. A GTI cloud 310 can provide a centralized function fora plurality of clients (sometimes called subscribers) without requiringclients of the cloud to understand the complexities of cloud resourcesor provide support for cloud resources. Internal to GTI cloud 310, thereare typically a plurality of servers (e.g., Server 1 320 and Server 2340). Each of the servers is, in turn, typically connected to adedicated data store (e.g., 330 and 350) and possibly a centralized datastore, such as Centralized DB 360. Each communication path is typicallya network or direct connection as represented by communication paths325, 345, 361, 362 and 370. Although diagram 300 illustrates two serversand a single centralized database, a comparable implementation may takethe form of numerous servers with or without individual databases, ahierarchy of databases forming a logical centralized database, or acombination of both. Furthermore, a plurality of communication paths andtypes of communication paths (e.g., wired network, wireless network,direct cable, switched cable, etc.) could exist between each componentin GTI cloud 310. Such variations are known to those of skill in the artand, therefore, are not discussed further here. Also, although disclosedherein as a cloud resource, the essence of functions of GTI cloud 310could be performed, in an alternate embodiment, by conventionallyconfigured (i.e., not cloud configured) resources internal to anorganization.

Referring now to FIG. 4A, flowchart 400 illustrates a prior arttechnique of a network appliance blocking an IP address based solelyupon the combination of its configuration and a score (based onfingerprint data) from a Reputation service. That is, the networkappliance, such as gateway 108, is isolated and agnostic to currentactions of any other network appliance. Beginning at block 401, anetwork appliance 108 receives an email from a remote host on anexternal network such as the Internet (assuming network appliance 108 isnot already blocking the IP address associated with the remote host).After receipt, and typically before allowing the email to enter anetwork on the “other” (e.g., internal) side of network appliance 108,network appliance 108 performs a fingerprint analysis at block 402. Alsoat block 402, data from the fingerprint analysis and information aboutthe originating connection (e.g., IP address, Hostname) of the remotehost is sent to a Trusted Source Service (TSS) performing a ReputationService (RS). A TSS is typically a provider (i.e., source) ofinformation that is trusted implicitly and relied upon by its consumers.The TSS is typically known and authenticated by clients that connect toit for any of its services. A RS can be one function of a TSS thatcomputes and publishes reputation scores for a set of objects (e.g.,service providers, services, goods or entities) within a community ordomain, based on a collection of opinions that other entities hold aboutthe objects. Next, at block 403, the RS determines a threat level (i.e.,score) from information available to the RS. Information available tothe RS includes data sent from network appliance 108 about the objectunder consideration along with information previously received at theRS. After analysis at the RS, the RS sends a score for the object backto network appliance 108 (block 404). As mentioned above, the scoreindicates a risk level of the object as determined by pertinentinformation available to the RS. Finally, at block 405, networkappliance 108 determines whether to allow the object to proceed (oraccess to the object allowed) to its intended recipient. If not allowed,network appliance 108 can block transmission or access to the object.Also, based on its configuration, network appliance 108 may block futurecommunication from the IP address of the identified questionable hostfor a period of time (e.g., default of 10 minutes).

Referring to FIG. 4B, flowchart 410 illustrates a technique differingfrom prior art techniques that allows a particular network appliance 108to perform coordinated blocking of IP addresses with other networkappliances via a centralized service as could be implemented by onedisclosed embodiment. Beginning at block 420, network appliance 108receives an email (or other object request). Next, at block 430, networkappliance 108 can perform finger printing (or similar type analysis) andsend information to a RS. Network appliance 108 may then send fingerprint data and originating connection information to a TSS performingRS. Different from prior art techniques, network appliance 108 can sendadditional information for analysis by the RS. Additional informationcan include one or more of, appliance identification information,appliance configuration information, current blocking information, andnetwork communication information. At block 440 the RS can, in oneembodiment, determine a threat level for the object in a manner the sameas or similar to prior art techniques. At block 450, the RS candetermine if particular network appliance 108 can be controlled toreceive more samples (i.e., network appliance 108 is participating in acoordinated blocking as disclosed herein). RS can determine a type ofresponse to send to network appliance 108 based on the appliance'sparticipation status (block 460). If this particular appliance is notparticipating (the NO prong of decision 470), the RS can send a score tothe appliance (block 475) much like in the prior art. Alternatively, ifthe appliance is participating (the YES prong of decision 470), the RScan send a response that differs from prior art techniques (block 480)with the score in addition to a blocking flag and/or a requestedblocking time (which may be zero indicating not to block for any time).Finally, at block 490, the network appliance (gateway) receiving theenhanced information can update its blocking strategy. The blockingstrategy can be updated based upon if the appliance is allowed to blockfor suggested times (e.g., possible additional local configurationsettings) and accordingly block for the configured/requested amount oftime.

As should be apparent from the above explanation, embodiments disclosedherein allow the network appliance and TSS/RS to work together alongwith other participating network appliances in a coordinated fashion sothat the TSS/RS can continue to receive information that might otherwisehave been blocked in its entirety. Therefore, the TSS/RS can provideenhanced and more comprehensive information to all clients subscribingto the TSS/RS. Note, the TSS/RS could track which clients areparticipating and how they are participating to make sure thatunnecessary “non-blocking requests” are kept to a minimum so as not toover burden appliances asked to perform additional analysis of data thatmight have been previously blocked. Also, in the embodimentsspecifically disclosed herein, the RS objects comprise web-sites andemails, however other types of objects are contemplated and couldbenefit from concepts of this disclosure. For example, the RS may beaggregating IP addresses (the source of the connection), conversationattributes (such as senders/recipients), the count of the number oftimes this IP has made connections to other mail servers (frequency). Itmay also be worth noting that both the identification of a rogue hostand the blocking of a rogue host could be applied to more than justemail, any number of IP technologies could be included, such as FileTransfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Voice OverIP (VoIP), Instant Messaging (IM), etc.

Referring now to FIG. 5, block diagram 500 illustrates a plurality ofnetworks (520 and 530) connected by connection links 501 to each otherand to the Internet (510) via a plurality of network appliances (540 and550) configured to perform coordinated blocking utilizing the techniqueof FIG. 4B. Networks 520 and 530 represent two distinct networks whichmay be internal networks of two different organizations or two differentphysical or logical networks of a single organization. For example, tworegional divisions of a geographically dispersed organization or twodivisions of a single organization that may have different securityrequirements. In any of the above cases, network 520 is connectedexternally via network appliances 1A-N (540) and network 530 isconnected externally via network appliances 2A-N (550).

Network 520 illustrates a simplified internal network that may betypical of a corporate network connected to the Internet 510 via one ormore network appliances 1A-N (540). Internal to network 520 are one ormore email servers 522 and a plurality of internal computer and networkdevices (ICND) 524 and 526. ICND 1A 524 represents a single computernetwork device and ICND 1B-1N 526 represents a plurality of othercomputer network devices which may be additional routers, laptopcomputers, desktop computers, or other devices. Each network device maybe connected to a network via wired connections or wireless connectionsutilizing networks and network protocols as are known to those ofordinary skill in the art. An example below illustrates how theplurality of internal devices (522, 524 and 526) can interact with oneor more network appliances 540 that provide connections to externalnetworks such as Internet 510. Similarly, network 530 illustrates asecond internal network with a second set of email servers 532, singleICND 2A 534 and plurality of ISNDs 2B-2N 536 with each of these internaldevices connected to Internet 510 via network appliance(s) 550. Asexplained above, prior art techniques for blocking IP addresses wouldhave all network appliances 540 working independently from networkappliances 550. In contrast, disclosed embodiments allow for networkappliances 540 and network appliances 550 to work in a “coordinated”fashion with centralized information available at GTI cloud 310 eventhough network appliances 540 and network appliances 550 may neverdirectly communicate or have actual knowledge of each other.

Internet 510 illustrates a greatly simplified view of the actualInternet. Internet 510 includes a plurality of external email servers1-N 514, a plurality of external web servers 1-N, potential rogueservers 1-N 517, and GTI cloud 310 from FIG. 3. As is known to those ofordinary skill in the art, each of the servers in Internet 510 wouldhave a unique address and identification information with some of theservers being legitimate servers and other servers presenting possiblethreats as rogue servers. As used herein, rouge servers refer to serversimpersonating legitimate servers or servers acting in a manner as topossibly disrupt service via spam, malware, viruses, denial of serviceattacks, etc. A rouge server may in fact be a legitimate server that hasbecome affected in some manner such that it is currently not functioningin an appropriate manner and should be blocked for a period of time toprevent a cascade of disruption across other networks.

The following example outlines one possible scenario of networkappliances, which may or may not belong to a single organization but areconnected to a consistent RS and could be working in a coordinatedfashion with the RS. This example allows a RS to influence an individualgateway to control whether it should block a specific IP address, whilestill protecting the end user from a threat. First, a gateway wouldreceive an email for analysis prior to sending it to its intendedrecipient (e.g., ICND 524). The gateway performs fingerprintingoperation(s) and sends: fingerprint data, originating connectioninformation, gateway blocking configuration information (e.g.,configured to block or not and blocking time if configured to block),reception rate (e.g., rate at which the gateway is receiving connectionsfrom this IP address—possibly including blocked connections from theprevious X minutes). The RS determines a threat level and determines ifit would like the gateway to continue to receive samples from thesuspect IP address. The RS's determination can be based on if the userhas configured the gateway to block IP addresses or not and whetherother gateways are receiving threats from the same IP address. The RScan further determine an amount of time it would like to request thegateway continue to receive from an IP address that would otherwise havebeen blocked and base the request on the rate at which connections arearriving from the IP address at this and other gateways. Next, the RScan send a response to the requesting gateway with: a score for theparticular email (so that the gateway knows what to do with thisparticular message); a flag indicating whether the gateway can block theIP address (from the perspective of the RS) and the amount of time theRS would like the gateway to block the IP address. As a result, if thegateway is allowed to block the IP address, and the user has configuredthe gateway to block, the IP address can be blocked for the configuredamount of time. As should be apparent, the gateway can still use IPaddress blocking as an effective means to block threats from knownmalicious Internet hosts and the RS can likely receive enough sampledata to maintain its effectiveness and reduce or eliminate the conditionwhere the reputation system cannot work effectively because allappliances are blocking IP addresses, as soon as the first threat isdetected from the address.

As explained above, the RS can determine an amount of time that aparticular gateway should block an IP address. This determination can besent to the gateway as a “request” to which the gateway can agree ordisagree based on its own configuration. The determination of agreementby the gateway may be based on the actual score returned along withother local configuration parameters of the gateway. Alternatively, theRS and gateways could be configured in a master-slave arrangement wherethe RS determination over-rides a local configuration. Yet another localconfiguration setting at the gateway could allow the RS to be a masteronly when scores are within a pre-defined range or under/over athreshold. Combinations of the above as well as other combinations for agateway determining if it should agree to the “request” are alsopossible.

In the foregoing description, for purposes of explanation, numerousspecific details are set forth in order to provide a thoroughunderstanding of the disclosed embodiments. It will be apparent,however, to one skilled in the art that the disclosed embodiments may bepracticed without these specific details. In other instances, structureand devices are shown in block diagram form in order to avoid obscuringthe disclosed embodiments. References to numbers without subscripts orsuffixes are understood to reference all instance of subscripts andsuffixes corresponding to the referenced number. Moreover, the languageused in this disclosure has been principally selected for readabilityand instructional purposes, and may not have been selected to delineateor circumscribe the inventive subject matter, resort to the claims beingnecessary to determine such inventive subject matter. Reference in thespecification to “one embodiment” or to “an embodiment” means that aparticular feature, structure, or characteristic described in connectionwith the embodiments is included in at least one disclosed embodiment,and multiple references to “one embodiment” or “an embodiment” shouldnot be understood as necessarily all referring to the same embodiment.

It is also to be understood that the above description is intended to beillustrative, and not restrictive. For example, above-describedembodiments may be used in combination with each other. Many otherembodiments will be apparent to those of skill in the art upon reviewingthe above description. The scope of the invention therefore should bedetermined with reference to the appended claims, along with the fullscope of equivalents to which such claims are entitled. In the appendedclaims, terms “including” and “in which” are used as plain-Englishequivalents of the respective terms “comprising” and “wherein.”

What is claimed is:
 1. A computer system configured to facilitate acoordinated source blocking method, the computer system comprising: oneor more connections to a plurality of computer networks; and one or moreprocessors communicatively coupled to each other wherein the one or moreprocessors are collectively configured to: receive information from afirst gateway, the information pertaining to a network data transmissionfrom a source address, the source address on a first network and thenetwork data transmission intended for a destination address on a secondnetwork, the first and second network not directly connected to eachother; determine a score based on the received information; determine aparticipation status, the participation status indicating the firstgateway's participation in a coordinated source blocking method; preparea first response message for transmission to the first gateway, thefirst response message comprising an indication of the score and ablocking request indicator; and initiating transmission of the firstresponse message to the first gateway.
 2. The computer system of claim1, wherein the first response message comprises a blocking requestindicator only if the participation status indicates participation inthe coordinated source blocking method.
 3. The computer system of claim1, wherein the network data transmission comprises an email message, adownload object, a universal resource locator (URL), an instant message,a file transfer protocol (FTP) transmission, a hypertext transferprotocol (HTTP) transmission, a voice over internet protocol (VoIP)transmission, or a combination thereof.
 4. The computer system of claim1, wherein protocol of the network data transmission comprises InternetProtocol version 4 (IPv4) or Internet Protocol version 6 (IPv6).
 5. Thecomputer system of claim 1, wherein the source address comprises aninternet protocol (IP) address, a domain name, a universal resourcelocator (URL), a hostname, or a combination thereof.
 6. The computersystem of claim 1, wherein the information received from the firstgateway comprises a finger print of at least a portion of the networkdata transmission.
 7. The computer system of claim 1, wherein theblocking request indicator in the first response message is based uponblocking status, relative to the source address, of a second gateway. 8.The computer system of claim 1, wherein the blocking request indicatorin the first response message is based upon network activity associatedwith the source address of the network data transmission.
 9. Thecomputer system of claim 1, wherein the blocking request indicator inthe first response message is based upon configuration information ofthe first gateway.
 10. The computer system of claim 1, wherein theblocking request indicator in the first response message is based uponthe determined score.
 11. The computer system of claim 1, wherein thecomputer system comprises a cloud resource.
 12. The computer system ofclaim 1, wherein the one or more processors are further configured toproactively send a second message to a second gateway participating inthe coordinated blocking method, the second message comprising ablocking request indicator pertaining to the source address of thenetwork data transmission received by the first gateway regardless of ifthe second gateway has received a transmission from the source address.13. The computer system of claim 12, wherein the second message is sentto the second gateway to request the second gateway to not block thesource address.
 14. The computer system of claim 13, wherein the requestto not block the source address indicates a period of time to not blockthe source address.
 15. The computer system of claim 12, wherein thesecond message is sent to the second gateway to request the secondgateway to block the source address.
 16. A non-transitory computerreadable medium comprising program instructions stored thereon toconfigure one or more processors to: receive information from a firstgateway, the information pertaining to a network data transmission froma source address, the source address on a first network and the networkdata transmission intended for a destination address on a secondnetwork, the first and second network not directly connected to eachother; determine a score based on the received information; determine aparticipation status indicating if the first gateway is participating ina coordinated source blocking method; prepare a first response messagefor transmission to the first gateway, the first response messagecomprising an indication of the score and a blocking request indicator;and initiate transmission of the first response message to the firstgateway.
 17. The non-transitory computer readable medium of claim 16wherein the blocking request indicator in the first response message isbased upon the determined score and the determined participation statusof the first gateway.
 18. The non-transitory computer readable medium ofclaim 16 further comprising program instruction to configure one or moreprocessors to send a second message to a second gateway participating inthe coordinated blocking method, the second message comprising ablocking request indicator pertaining to the source address of thenetwork data transmission received by the first gateway regardless of ifthe second gateway has received a transmission from the source address.19. A network appliance gateway configured to participate in acoordinated source address blocking method, the network appliancegateway comprising: one or more connections to a first network and asecond network, the first and second networks not directly connected toeach other; and one or more processors communicatively coupled to eachother, wherein the one or more processors are configured to: receive anetwork data transmission from a source address, the source address onthe first network and the network data transmission intended for adestination address on the second network; perform a fingerprintanalysis of at least a portion of the network data transmission; send afirst message to a centralized blocking coordination computer system,the first message comprising an indication of the fingerprint analysis,an indication of the source address, and blocking configurationinformation pertaining to the network appliance gateway wherein theblocking configuration information comprises an indication ofparticipation status, in a coordinated source address blocking method,for the network appliance gateway; receive a second message in responseto the first message, the second message comprising a score related tothe information in the first message and a blocking request; anddetermine to block or not block communication from the source addressbased on the blocking request and on information in the second message.20. The network appliance gateway of claim 19 wherein the networkappliance gateway is configured as a subscriber to a cloud performing acentralized blocking function.
 21. The network appliance gateway ofclaim 19 wherein the blocking request indicates to block transmissionsfrom the source address.
 22. The network appliance gateway of claim 21wherein blocking of transmissions from the source address is onlyperformed if the score is above a configured threshold.
 23. The networkappliance gateway of claim 21 wherein blocking of transmissions from thesource address is determined based on local configuration information ofthe network appliance gateway.
 24. The network appliance gateway ofclaim 21 wherein the second message further indicates a period of timeassociated with the request to block transmissions from the sourceaddress.
 25. The network appliance gateway of claim 19 wherein thesecond message further comprises network communication informationpertaining to the source address and blocking of transmissions from thesource address is determined based at least in part on the networkcommunication information.
 26. The network appliance gateway of claim19, wherein the network data transmission comprises an email message, adownload object, a universal resource locator (URL), an instant message,a file transfer protocol (FTP) transmission, a hypertext transferprotocol (HTTP) transmission, a voice over internet protocol (VoIP)transmission, or a combination thereof.
 27. The network appliancegateway of claim 19, wherein protocol of the network data transmissioncomprises Internet Protocol version 4 (IPv4) or Internet Protocolversion 6 (IPv6).
 28. The network appliance gateway of claim 19, whereinthe source address comprises an internet protocol (IP) address, a domainname, a universal resource locator (URL), a hostname, or a combinationthereof.
 29. A non-transitory computer readable medium comprisingprogram instructions stored thereon to configure one or more processorsto: receive a network data transmission from a source address, thesource address on a first network and the network data transmissionintended for a destination address on a second network; perform afingerprint analysis of at least a portion of the network datatransmission; send a first message to a centralized blockingcoordination computer system, the first message comprising an indicationof the fingerprint analysis, an indication of the source address, andblocking configuration information pertaining to the network appliancegateway wherein the blocking configuration information comprises anindication of participation status, in a coordinated source addressblocking method, for a network appliance gateway; receive a secondmessage in response to the first message, the second message comprisinga score related to the information in the first message and a blockingrequest; and determine to block or not block communication from thesource address based on the blocking request and on information in thesecond message.
 30. A network appliance gateway configured toparticipate in a coordinated source address blocking method, the networkappliance gateway comprising: one or more connections to a first networkand a second network, the first and second networks not directlyconnected to each other; and one or more processors communicativelycoupled to each other, wherein the one or more processors are configuredto: receive a message from a centralized blocking coordination computersystem, the message comprising a blocking request for the networkappliance gateway, the blocking request pertaining to a source addresson the first network, wherein the network appliance gateway has notpreviously received a network data transmission from the source address;and determine to block or not block communication from the sourceaddress based on the blocking request and on information in the messagewherein the determination is based at least in part on localconfiguration information of the network appliance gateway.